--- /dev/null
+From 312ca38ddda64bac6513ec68e0ac3789b4eb44dc Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 5 Dec 2018 12:55:54 +0200
+Subject: cfg80211: Fix busy loop regression in ieee80211_ie_split_ric()
+
+From: Jouni Malinen <jouni@codeaurora.org>
+
+commit 312ca38ddda64bac6513ec68e0ac3789b4eb44dc upstream.
+
+This function was modified to support the information element extension
+case (WLAN_EID_EXTENSION) in a manner that would result in an infinite
+loop when going through set of IEs that include WLAN_EID_RIC_DATA and
+contain an IE that is in the after_ric array. The only place where this
+can currently happen is in mac80211 ieee80211_send_assoc() where
+ieee80211_ie_split_ric() is called with after_ric[].
+
+This can be triggered by valid data from user space nl80211
+association/connect request (i.e., requiring GENL_UNS_ADMIN_PERM). The
+only known application having an option to include WLAN_EID_RIC_DATA in
+these requests is wpa_supplicant and it had a bug that prevented this
+specific contents from being used (and because of that, not triggering
+this kernel bug in an automated test case ap_ft_ric) and now that this
+bug is fixed, it has a workaround to avoid this kernel issue.
+WLAN_EID_RIC_DATA is currently used only for testing purposes, so this
+does not cause significant harm for production use cases.
+
+Fixes: 2512b1b18d07 ("mac80211: extend ieee80211_ie_split to support EXTENSION")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1418,6 +1418,8 @@ size_t ieee80211_ie_split_ric(const u8 *
+ ies[pos + ext],
+ ext == 2))
+ pos = skip_ie(ies, ielen, pos);
++ else
++ break;
+ }
+ } else {
+ pos = skip_ie(ies, ielen, pos);
--- /dev/null
+From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <palcantara@suse.com>
+Date: Thu, 15 Nov 2018 15:20:52 +0100
+Subject: cifs: Fix separator when building path from dentry
+
+From: Paulo Alcantara <palcantara@suse.com>
+
+commit c988de29ca161823db6a7125e803d597ef75b49c upstream.
+
+Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
+prefixpath too. Fixes a bug with smb1 UNIX extensions.
+
+Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable")
+Signed-off-by: Paulo Alcantara <palcantara@suse.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -174,7 +174,7 @@ cifs_bp_rename_retry:
+
+ cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+ memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+- full_path[dfsplen] = '\\';
++ full_path[dfsplen] = dirsep;
+ for (i = 0; i < pplen-1; i++)
+ if (full_path[dfsplen+1+i] == '/')
+ full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
--- /dev/null
+From e5bde04ccce64d808f8b00a489a1fe5825d285cb Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 22 Nov 2018 18:00:16 +0800
+Subject: crypto: do not free algorithm before using
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit e5bde04ccce64d808f8b00a489a1fe5825d285cb upstream.
+
+In multiple functions, the algorithm fields are read after its reference
+is dropped through crypto_mod_put. In this case, the algorithm memory
+may be freed, resulting in use-after-free bugs. This patch delays the
+put operation until the algorithm is never used.
+
+Fixes: 79c65d179a40 ("crypto: cbc - Convert to skcipher")
+Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode")
+Fixes: 043a44001b9e ("crypto: pcbc - Convert to skcipher")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cbc.c | 6 ++++--
+ crypto/cfb.c | 6 ++++--
+ crypto/pcbc.c | 6 ++++--
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/crypto/cbc.c
++++ b/crypto/cbc.c
+@@ -140,9 +140,8 @@ static int crypto_cbc_create(struct cryp
+ spawn = skcipher_instance_ctx(inst);
+ err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
+ CRYPTO_ALG_TYPE_MASK);
+- crypto_mod_put(alg);
+ if (err)
+- goto err_free_inst;
++ goto err_put_alg;
+
+ err = crypto_inst_setname(skcipher_crypto_instance(inst), "cbc", alg);
+ if (err)
+@@ -174,12 +173,15 @@ static int crypto_cbc_create(struct cryp
+ err = skcipher_register_instance(tmpl, inst);
+ if (err)
+ goto err_drop_spawn;
++ crypto_mod_put(alg);
+
+ out:
+ return err;
+
+ err_drop_spawn:
+ crypto_drop_spawn(spawn);
++err_put_alg:
++ crypto_mod_put(alg);
+ err_free_inst:
+ kfree(inst);
+ goto out;
+--- a/crypto/cfb.c
++++ b/crypto/cfb.c
+@@ -286,9 +286,8 @@ static int crypto_cfb_create(struct cryp
+ spawn = skcipher_instance_ctx(inst);
+ err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
+ CRYPTO_ALG_TYPE_MASK);
+- crypto_mod_put(alg);
+ if (err)
+- goto err_free_inst;
++ goto err_put_alg;
+
+ err = crypto_inst_setname(skcipher_crypto_instance(inst), "cfb", alg);
+ if (err)
+@@ -317,12 +316,15 @@ static int crypto_cfb_create(struct cryp
+ err = skcipher_register_instance(tmpl, inst);
+ if (err)
+ goto err_drop_spawn;
++ crypto_mod_put(alg);
+
+ out:
+ return err;
+
+ err_drop_spawn:
+ crypto_drop_spawn(spawn);
++err_put_alg:
++ crypto_mod_put(alg);
+ err_free_inst:
+ kfree(inst);
+ goto out;
+--- a/crypto/pcbc.c
++++ b/crypto/pcbc.c
+@@ -244,9 +244,8 @@ static int crypto_pcbc_create(struct cry
+ spawn = skcipher_instance_ctx(inst);
+ err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
+ CRYPTO_ALG_TYPE_MASK);
+- crypto_mod_put(alg);
+ if (err)
+- goto err_free_inst;
++ goto err_put_alg;
+
+ err = crypto_inst_setname(skcipher_crypto_instance(inst), "pcbc", alg);
+ if (err)
+@@ -275,12 +274,15 @@ static int crypto_pcbc_create(struct cry
+ err = skcipher_register_instance(tmpl, inst);
+ if (err)
+ goto err_drop_spawn;
++ crypto_mod_put(alg);
+
+ out:
+ return err;
+
+ err_drop_spawn:
+ crypto_drop_spawn(spawn);
++err_put_alg:
++ crypto_mod_put(alg);
+ err_free_inst:
+ kfree(inst);
+ goto out;
--- /dev/null
+From 37c2578c0c40e286bc0d30bdc05290b2058cf66e Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 3 Dec 2018 00:54:35 +0000
+Subject: Drivers: hv: vmbus: Offload the handling of channels to two workqueues
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 37c2578c0c40e286bc0d30bdc05290b2058cf66e upstream.
+
+vmbus_process_offer() mustn't call channel->sc_creation_callback()
+directly for sub-channels, because sc_creation_callback() ->
+vmbus_open() may never get the host's response to the
+OPEN_CHANNEL message (the host may rescind a channel at any time,
+e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
+may not wake up the vmbus_open() as it's blocked due to a non-zero
+vmbus_connection.offer_in_progress, and finally we have a deadlock.
+
+The above is also true for primary channels, if the related device
+drivers use sync probing mode by default.
+
+And, usually the handling of primary channels and sub-channels can
+depend on each other, so we should offload them to different
+workqueues to avoid possible deadlock, e.g. in sync-probing mode,
+NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
+rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
+and waits for all the sub-channels to appear, but the latter
+can't get the rtnl_lock and this blocks the handling of sub-channels.
+
+The patch can fix the multiple-NIC deadlock described above for
+v3.x kernels (e.g. RHEL 7.x) which don't support async-probing
+of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing
+but don't enable async-probing for Hyper-V drivers (yet).
+
+The patch can also fix the hang issue in sub-channel's handling described
+above for all versions of kernels, including v4.19 and v4.20-rc4.
+
+So actually the patch should be applied to all the existing kernels,
+not only the kernels that have 8195b1396ec8.
+
+Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug")
+Cc: stable@vger.kernel.org
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c | 189 ++++++++++++++++++++++++++++++----------------
+ drivers/hv/connection.c | 24 +++++
+ drivers/hv/hyperv_vmbus.h | 7 +
+ include/linux/hyperv.h | 7 +
+ 4 files changed, 161 insertions(+), 66 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -447,61 +447,16 @@ void vmbus_free_channels(void)
+ }
+ }
+
+-/*
+- * vmbus_process_offer - Process the offer by creating a channel/device
+- * associated with this offer
+- */
+-static void vmbus_process_offer(struct vmbus_channel *newchannel)
++/* Note: the function can run concurrently for primary/sub channels. */
++static void vmbus_add_channel_work(struct work_struct *work)
+ {
+- struct vmbus_channel *channel;
+- bool fnew = true;
++ struct vmbus_channel *newchannel =
++ container_of(work, struct vmbus_channel, add_channel_work);
++ struct vmbus_channel *primary_channel = newchannel->primary_channel;
+ unsigned long flags;
+ u16 dev_type;
+ int ret;
+
+- /* Make sure this is a new offer */
+- mutex_lock(&vmbus_connection.channel_mutex);
+-
+- /*
+- * Now that we have acquired the channel_mutex,
+- * we can release the potentially racing rescind thread.
+- */
+- atomic_dec(&vmbus_connection.offer_in_progress);
+-
+- list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) {
+- if (!uuid_le_cmp(channel->offermsg.offer.if_type,
+- newchannel->offermsg.offer.if_type) &&
+- !uuid_le_cmp(channel->offermsg.offer.if_instance,
+- newchannel->offermsg.offer.if_instance)) {
+- fnew = false;
+- break;
+- }
+- }
+-
+- if (fnew)
+- list_add_tail(&newchannel->listentry,
+- &vmbus_connection.chn_list);
+-
+- mutex_unlock(&vmbus_connection.channel_mutex);
+-
+- if (!fnew) {
+- /*
+- * Check to see if this is a sub-channel.
+- */
+- if (newchannel->offermsg.offer.sub_channel_index != 0) {
+- /*
+- * Process the sub-channel.
+- */
+- newchannel->primary_channel = channel;
+- spin_lock_irqsave(&channel->lock, flags);
+- list_add_tail(&newchannel->sc_list, &channel->sc_list);
+- channel->num_sc++;
+- spin_unlock_irqrestore(&channel->lock, flags);
+- } else {
+- goto err_free_chan;
+- }
+- }
+-
+ dev_type = hv_get_dev_type(newchannel);
+
+ init_vp_index(newchannel, dev_type);
+@@ -519,27 +474,26 @@ static void vmbus_process_offer(struct v
+ /*
+ * This state is used to indicate a successful open
+ * so that when we do close the channel normally, we
+- * can cleanup properly
++ * can cleanup properly.
+ */
+ newchannel->state = CHANNEL_OPEN_STATE;
+
+- if (!fnew) {
+- struct hv_device *dev
+- = newchannel->primary_channel->device_obj;
++ if (primary_channel != NULL) {
++ /* newchannel is a sub-channel. */
++ struct hv_device *dev = primary_channel->device_obj;
+
+ if (vmbus_add_channel_kobj(dev, newchannel))
+- goto err_free_chan;
++ goto err_deq_chan;
++
++ if (primary_channel->sc_creation_callback != NULL)
++ primary_channel->sc_creation_callback(newchannel);
+
+- if (channel->sc_creation_callback != NULL)
+- channel->sc_creation_callback(newchannel);
+ newchannel->probe_done = true;
+ return;
+ }
+
+ /*
+- * Start the process of binding this offer to the driver
+- * We need to set the DeviceObject field before calling
+- * vmbus_child_dev_add()
++ * Start the process of binding the primary channel to the driver
+ */
+ newchannel->device_obj = vmbus_device_create(
+ &newchannel->offermsg.offer.if_type,
+@@ -568,13 +522,28 @@ static void vmbus_process_offer(struct v
+
+ err_deq_chan:
+ mutex_lock(&vmbus_connection.channel_mutex);
+- list_del(&newchannel->listentry);
++
++ /*
++ * We need to set the flag, otherwise
++ * vmbus_onoffer_rescind() can be blocked.
++ */
++ newchannel->probe_done = true;
++
++ if (primary_channel == NULL) {
++ list_del(&newchannel->listentry);
++ } else {
++ spin_lock_irqsave(&primary_channel->lock, flags);
++ list_del(&newchannel->sc_list);
++ spin_unlock_irqrestore(&primary_channel->lock, flags);
++ }
++
+ mutex_unlock(&vmbus_connection.channel_mutex);
+
+ if (newchannel->target_cpu != get_cpu()) {
+ put_cpu();
+ smp_call_function_single(newchannel->target_cpu,
+- percpu_channel_deq, newchannel, true);
++ percpu_channel_deq,
++ newchannel, true);
+ } else {
+ percpu_channel_deq(newchannel);
+ put_cpu();
+@@ -582,14 +551,104 @@ err_deq_chan:
+
+ vmbus_release_relid(newchannel->offermsg.child_relid);
+
+-err_free_chan:
+ free_channel(newchannel);
+ }
+
+ /*
++ * vmbus_process_offer - Process the offer by creating a channel/device
++ * associated with this offer
++ */
++static void vmbus_process_offer(struct vmbus_channel *newchannel)
++{
++ struct vmbus_channel *channel;
++ struct workqueue_struct *wq;
++ unsigned long flags;
++ bool fnew = true;
++
++ mutex_lock(&vmbus_connection.channel_mutex);
++
++ /*
++ * Now that we have acquired the channel_mutex,
++ * we can release the potentially racing rescind thread.
++ */
++ atomic_dec(&vmbus_connection.offer_in_progress);
++
++ list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) {
++ if (!uuid_le_cmp(channel->offermsg.offer.if_type,
++ newchannel->offermsg.offer.if_type) &&
++ !uuid_le_cmp(channel->offermsg.offer.if_instance,
++ newchannel->offermsg.offer.if_instance)) {
++ fnew = false;
++ break;
++ }
++ }
++
++ if (fnew)
++ list_add_tail(&newchannel->listentry,
++ &vmbus_connection.chn_list);
++ else {
++ /*
++ * Check to see if this is a valid sub-channel.
++ */
++ if (newchannel->offermsg.offer.sub_channel_index == 0) {
++ mutex_unlock(&vmbus_connection.channel_mutex);
++ /*
++ * Don't call free_channel(), because newchannel->kobj
++ * is not initialized yet.
++ */
++ kfree(newchannel);
++ WARN_ON_ONCE(1);
++ return;
++ }
++ /*
++ * Process the sub-channel.
++ */
++ newchannel->primary_channel = channel;
++ spin_lock_irqsave(&channel->lock, flags);
++ list_add_tail(&newchannel->sc_list, &channel->sc_list);
++ spin_unlock_irqrestore(&channel->lock, flags);
++ }
++
++ mutex_unlock(&vmbus_connection.channel_mutex);
++
++ /*
++ * vmbus_process_offer() mustn't call channel->sc_creation_callback()
++ * directly for sub-channels, because sc_creation_callback() ->
++ * vmbus_open() may never get the host's response to the
++ * OPEN_CHANNEL message (the host may rescind a channel at any time,
++ * e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
++ * may not wake up the vmbus_open() as it's blocked due to a non-zero
++ * vmbus_connection.offer_in_progress, and finally we have a deadlock.
++ *
++ * The above is also true for primary channels, if the related device
++ * drivers use sync probing mode by default.
++ *
++ * And, usually the handling of primary channels and sub-channels can
++ * depend on each other, so we should offload them to different
++ * workqueues to avoid possible deadlock, e.g. in sync-probing mode,
++ * NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
++ * rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
++ * and waits for all the sub-channels to appear, but the latter
++ * can't get the rtnl_lock and this blocks the handling of
++ * sub-channels.
++ */
++ INIT_WORK(&newchannel->add_channel_work, vmbus_add_channel_work);
++ wq = fnew ? vmbus_connection.handle_primary_chan_wq :
++ vmbus_connection.handle_sub_chan_wq;
++ queue_work(wq, &newchannel->add_channel_work);
++}
++
++/*
+ * We use this state to statically distribute the channel interrupt load.
+ */
+ static int next_numa_node_id;
++/*
++ * init_vp_index() accesses global variables like next_numa_node_id, and
++ * it can run concurrently for primary channels and sub-channels: see
++ * vmbus_process_offer(), so we need the lock to protect the global
++ * variables.
++ */
++static DEFINE_SPINLOCK(bind_channel_to_cpu_lock);
+
+ /*
+ * Starting with Win8, we can statically distribute the incoming
+@@ -625,6 +684,8 @@ static void init_vp_index(struct vmbus_c
+ return;
+ }
+
++ spin_lock(&bind_channel_to_cpu_lock);
++
+ /*
+ * Based on the channel affinity policy, we will assign the NUMA
+ * nodes.
+@@ -707,6 +768,8 @@ static void init_vp_index(struct vmbus_c
+ channel->target_cpu = cur_cpu;
+ channel->target_vp = hv_cpu_number_to_vp_number(cur_cpu);
+
++ spin_unlock(&bind_channel_to_cpu_lock);
++
+ free_cpumask_var(available_mask);
+ }
+
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -190,6 +190,20 @@ int vmbus_connect(void)
+ goto cleanup;
+ }
+
++ vmbus_connection.handle_primary_chan_wq =
++ create_workqueue("hv_pri_chan");
++ if (!vmbus_connection.handle_primary_chan_wq) {
++ ret = -ENOMEM;
++ goto cleanup;
++ }
++
++ vmbus_connection.handle_sub_chan_wq =
++ create_workqueue("hv_sub_chan");
++ if (!vmbus_connection.handle_sub_chan_wq) {
++ ret = -ENOMEM;
++ goto cleanup;
++ }
++
+ INIT_LIST_HEAD(&vmbus_connection.chn_msg_list);
+ spin_lock_init(&vmbus_connection.channelmsg_lock);
+
+@@ -280,10 +294,14 @@ void vmbus_disconnect(void)
+ */
+ vmbus_initiate_unload(false);
+
+- if (vmbus_connection.work_queue) {
+- drain_workqueue(vmbus_connection.work_queue);
++ if (vmbus_connection.handle_sub_chan_wq)
++ destroy_workqueue(vmbus_connection.handle_sub_chan_wq);
++
++ if (vmbus_connection.handle_primary_chan_wq)
++ destroy_workqueue(vmbus_connection.handle_primary_chan_wq);
++
++ if (vmbus_connection.work_queue)
+ destroy_workqueue(vmbus_connection.work_queue);
+- }
+
+ if (vmbus_connection.int_page) {
+ free_pages((unsigned long)vmbus_connection.int_page, 0);
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -335,7 +335,14 @@ struct vmbus_connection {
+ struct list_head chn_list;
+ struct mutex channel_mutex;
+
++ /*
++ * An offer message is handled first on the work_queue, and then
++ * is further handled on handle_primary_chan_wq or
++ * handle_sub_chan_wq.
++ */
+ struct workqueue_struct *work_queue;
++ struct workqueue_struct *handle_primary_chan_wq;
++ struct workqueue_struct *handle_sub_chan_wq;
+ };
+
+
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -904,6 +904,13 @@ struct vmbus_channel {
+
+ bool probe_done;
+
++ /*
++ * We must offload the handling of the primary/sub channels
++ * from the single-threaded vmbus_connection.work_queue to
++ * two different workqueue, otherwise we can block
++ * vmbus_connection.work_queue and hang: see vmbus_process_offer().
++ */
++ struct work_struct add_channel_work;
+ };
+
+ static inline bool is_hvsock_channel(const struct vmbus_channel *c)
--- /dev/null
+From b52b6738cc2d50d2a8f4d0095bcb5a86716008a5 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 28 Nov 2018 23:28:17 -0500
+Subject: drm/amdgpu/gmc8: always load MC firmware in the driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit b52b6738cc2d50d2a8f4d0095bcb5a86716008a5 upstream.
+
+Some power features rely on the driver loaded version so always
+load the MC firmware from the driver even if the vbios loaded
+a version already.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -365,7 +365,7 @@ static int gmc_v8_0_polaris_mc_load_micr
+ const struct mc_firmware_header_v1_0 *hdr;
+ const __le32 *fw_data = NULL;
+ const __le32 *io_mc_regs = NULL;
+- u32 data, vbios_version;
++ u32 data;
+ int i, ucode_size, regs_size;
+
+ /* Skip MC ucode loading on SR-IOV capable boards.
+@@ -376,13 +376,6 @@ static int gmc_v8_0_polaris_mc_load_micr
+ if (amdgpu_sriov_bios(adev))
+ return 0;
+
+- WREG32(mmMC_SEQ_IO_DEBUG_INDEX, 0x9F);
+- data = RREG32(mmMC_SEQ_IO_DEBUG_DATA);
+- vbios_version = data & 0xf;
+-
+- if (vbios_version == 0)
+- return 0;
+-
+ if (!adev->gmc.fw)
+ return -EINVAL;
+
--- /dev/null
+From a81a7c9c9ea3042ab02d66ac35def74abf091c15 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 28 Nov 2018 23:25:41 -0500
+Subject: drm/amdgpu/gmc8: update MC firmware for polaris
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit a81a7c9c9ea3042ab02d66ac35def74abf091c15 upstream.
+
+Some variants require different MC firmware images.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -55,6 +55,8 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris11_k_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris10_k_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin");
+
+ static const u32 golden_settings_tonga_a11[] =
+@@ -224,22 +226,39 @@ static int gmc_v8_0_init_microcode(struc
+ chip_name = "tonga";
+ break;
+ case CHIP_POLARIS11:
+- chip_name = "polaris11";
++ if (((adev->pdev->device == 0x67ef) &&
++ ((adev->pdev->revision == 0xe0) ||
++ (adev->pdev->revision == 0xe5))) ||
++ ((adev->pdev->device == 0x67ff) &&
++ ((adev->pdev->revision == 0xcf) ||
++ (adev->pdev->revision == 0xef) ||
++ (adev->pdev->revision == 0xff))))
++ chip_name = "polaris11_k";
++ else if ((adev->pdev->device == 0x67ef) &&
++ (adev->pdev->revision == 0xe2))
++ chip_name = "polaris11_k";
++ else
++ chip_name = "polaris11";
+ break;
+ case CHIP_POLARIS10:
+- chip_name = "polaris10";
++ if ((adev->pdev->device == 0x67df) &&
++ ((adev->pdev->revision == 0xe1) ||
++ (adev->pdev->revision == 0xf7)))
++ chip_name = "polaris10_k";
++ else
++ chip_name = "polaris10";
+ break;
+ case CHIP_POLARIS12:
+- chip_name = "polaris12";
+ if (((adev->pdev->device == 0x6987) &&
+ ((adev->pdev->revision == 0xc0) ||
+ (adev->pdev->revision == 0xc3))) ||
+ ((adev->pdev->device == 0x6981) &&
+ ((adev->pdev->revision == 0x00) ||
+ (adev->pdev->revision == 0x01) ||
+- (adev->pdev->revision == 0x10)))) {
++ (adev->pdev->revision == 0x10))))
+ chip_name = "polaris12_k";
+- }
++ else
++ chip_name = "polaris12";
+ break;
+ case CHIP_FIJI:
+ case CHIP_CARRIZO:
--- /dev/null
+From d7fd67653f847327e545bdb198b901ee124afd7c Mon Sep 17 00:00:00 2001
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+Date: Thu, 22 Nov 2018 17:53:00 +0800
+Subject: drm/amdgpu: update mc firmware image for polaris12 variants
+
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+
+commit d7fd67653f847327e545bdb198b901ee124afd7c upstream.
+
+Some new variants require updated firmware.
+
+Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -55,6 +55,7 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin");
+
+ static const u32 golden_settings_tonga_a11[] =
+ {
+@@ -230,6 +231,15 @@ static int gmc_v8_0_init_microcode(struc
+ break;
+ case CHIP_POLARIS12:
+ chip_name = "polaris12";
++ if (((adev->pdev->device == 0x6987) &&
++ ((adev->pdev->revision == 0xc0) ||
++ (adev->pdev->revision == 0xc3))) ||
++ ((adev->pdev->device == 0x6981) &&
++ ((adev->pdev->revision == 0x00) ||
++ (adev->pdev->revision == 0x01) ||
++ (adev->pdev->revision == 0x10)))) {
++ chip_name = "polaris12_k";
++ }
+ break;
+ case CHIP_FIJI:
+ case CHIP_CARRIZO:
--- /dev/null
+From 86c1c87d0e6241cbe35bd52badfc84b154e1b959 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 26 Jul 2018 17:15:27 +0100
+Subject: drm/i915: Downgrade Gen9 Plane WM latency error
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 86c1c87d0e6241cbe35bd52badfc84b154e1b959 upstream.
+
+According to intel_read_wm_latency() it is perfectly legal for one WM
+and all subsequent levels to be 0 (and the deeper powersaving states
+disabled), so don't shout *ERROR*, over and over again.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
+Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2951,8 +2951,8 @@ static void intel_print_wm_latency(struc
+ unsigned int latency = wm[level];
+
+ if (latency == 0) {
+- DRM_ERROR("%s WM%d latency not provided\n",
+- name, level);
++ DRM_DEBUG_KMS("%s WM%d latency not provided\n",
++ name, level);
+ continue;
+ }
+
--- /dev/null
+From ce85882860f0e756f7066cbda1c43e8b50b73ab6 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Thu, 29 Nov 2018 10:42:26 +0100
+Subject: drm/lease: Send a distinct uevent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit ce85882860f0e756f7066cbda1c43e8b50b73ab6 upstream.
+
+Sending the exact same hotplug event is not great uapi. Luckily the
+only already merged implementation of leases (in the -modesetting
+driver) doesn't care about what kind of uevent it gets, and
+unconditionally processes both hotplug and lease changes. So we can
+still adjust the uapi here.
+
+But e.g. weston tries to filter stuff, and I guess others might want
+to do that too. Try to make that possible. Cc: stable since it's uapi
+adjustement that we want to roll out everywhere.
+
+Michel Dänzer mentioned on irc that -amdgpu also has lease support. It
+has the same code flow as -modesetting though, so we can still go
+ahead.
+
+v2: Mention -amdgpu (Michel)
+
+Cc: Keith Packard <keithp@keithp.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181129094226.30591-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_internal.h | 2 ++
+ drivers/gpu/drm/drm_lease.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 10 ++++++++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_internal.h
++++ b/drivers/gpu/drm/drm_internal.h
+@@ -99,6 +99,8 @@ struct device *drm_sysfs_minor_alloc(str
+ int drm_sysfs_connector_add(struct drm_connector *connector);
+ void drm_sysfs_connector_remove(struct drm_connector *connector);
+
++void drm_sysfs_lease_event(struct drm_device *dev);
++
+ /* drm_gem.c */
+ int drm_gem_init(struct drm_device *dev);
+ void drm_gem_destroy(struct drm_device *dev);
+--- a/drivers/gpu/drm/drm_lease.c
++++ b/drivers/gpu/drm/drm_lease.c
+@@ -296,7 +296,7 @@ void drm_lease_destroy(struct drm_master
+
+ if (master->lessor) {
+ /* Tell the master to check the lessee list */
+- drm_sysfs_hotplug_event(dev);
++ drm_sysfs_lease_event(dev);
+ drm_master_put(&master->lessor);
+ }
+
+--- a/drivers/gpu/drm/drm_sysfs.c
++++ b/drivers/gpu/drm/drm_sysfs.c
+@@ -301,6 +301,16 @@ void drm_sysfs_connector_remove(struct d
+ connector->kdev = NULL;
+ }
+
++void drm_sysfs_lease_event(struct drm_device *dev)
++{
++ char *event_string = "LEASE=1";
++ char *envp[] = { event_string, NULL };
++
++ DRM_DEBUG("generating lease event\n");
++
++ kobject_uevent_env(&dev->primary->kdev->kobj, KOBJ_CHANGE, envp);
++}
++
+ /**
+ * drm_sysfs_hotplug_event - generate a DRM uevent
+ * @dev: DRM device
--- /dev/null
+From 2189463dba3eac10d7264a40ede12fc1a3c06fb1 Mon Sep 17 00:00:00 2001
+From: Robert Foss <robert.foss@collabora.com>
+Date: Mon, 5 Nov 2018 11:13:12 +0100
+Subject: drm/msm: Move fence put to where failure occurs
+
+From: Robert Foss <robert.foss@collabora.com>
+
+commit 2189463dba3eac10d7264a40ede12fc1a3c06fb1 upstream.
+
+If dma_fence_wait fails to wait for a supplied in-fence in
+msm_ioctl_gem_submit, make sure we release that in-fence.
+
+Also remove this dma_fence_put() from the 'out' label.
+
+Signed-off-by: Robert Foss <robert.foss@collabora.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -410,7 +410,6 @@ int msm_ioctl_gem_submit(struct drm_devi
+ struct msm_file_private *ctx = file->driver_priv;
+ struct msm_gem_submit *submit;
+ struct msm_gpu *gpu = priv->gpu;
+- struct dma_fence *in_fence = NULL;
+ struct sync_file *sync_file = NULL;
+ struct msm_gpu_submitqueue *queue;
+ struct msm_ringbuffer *ring;
+@@ -443,6 +442,8 @@ int msm_ioctl_gem_submit(struct drm_devi
+ ring = gpu->rb[queue->prio];
+
+ if (args->flags & MSM_SUBMIT_FENCE_FD_IN) {
++ struct dma_fence *in_fence;
++
+ in_fence = sync_file_get_fence(args->fence_fd);
+
+ if (!in_fence)
+@@ -452,11 +453,13 @@ int msm_ioctl_gem_submit(struct drm_devi
+ * Wait if the fence is from a foreign context, or if the fence
+ * array contains any fence from a foreign context.
+ */
+- if (!dma_fence_match_context(in_fence, ring->fctx->context)) {
++ ret = 0;
++ if (!dma_fence_match_context(in_fence, ring->fctx->context))
+ ret = dma_fence_wait(in_fence, true);
+- if (ret)
+- return ret;
+- }
++
++ dma_fence_put(in_fence);
++ if (ret)
++ return ret;
+ }
+
+ ret = mutex_lock_interruptible(&dev->struct_mutex);
+@@ -582,8 +585,6 @@ int msm_ioctl_gem_submit(struct drm_devi
+ }
+
+ out:
+- if (in_fence)
+- dma_fence_put(in_fence);
+ submit_cleanup(submit);
+ if (ret)
+ msm_gem_submit_free(submit);
--- /dev/null
+From 06fd9ab12b804451b14d538adbf98a57c2d6846b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 5 Dec 2018 11:21:49 +0100
+Subject: gnss: sirf: fix activation retry handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 06fd9ab12b804451b14d538adbf98a57c2d6846b upstream.
+
+Fix activation helper which would return -ETIMEDOUT even if the last
+retry attempt was successful.
+
+Also change the semantics of the retries variable so that it actually
+holds the number of retries (rather than tries).
+
+Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers")
+Cc: stable <stable@vger.kernel.org> # 4.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gnss/sirf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gnss/sirf.c
++++ b/drivers/gnss/sirf.c
+@@ -168,7 +168,7 @@ static int sirf_set_active(struct sirf_d
+ else
+ timeout = SIRF_HIBERNATE_TIMEOUT;
+
+- while (retries-- > 0) {
++ do {
+ sirf_pulse_on_off(data);
+ ret = sirf_wait_for_power_state(data, active, timeout);
+ if (ret < 0) {
+@@ -179,9 +179,9 @@ static int sirf_set_active(struct sirf_d
+ }
+
+ break;
+- }
++ } while (retries--);
+
+- if (retries == 0)
++ if (retries < 0)
+ return -ETIMEDOUT;
+
+ return 0;
--- /dev/null
+From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul@gmail.com>
+Date: Wed, 17 Oct 2018 23:08:38 +0800
+Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
+
+From: Macpaul Lin <macpaul@gmail.com>
+
+commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
+
+This patch is trying to fix KE issue due to
+"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
+reported by Syzkaller scan."
+
+[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
+[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
+[26364:syz-executor0]Call trace:
+[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
+[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
+[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
+[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
+[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
+[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
+[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
+[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
+[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
+[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
+[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
+[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
+[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
+[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
+[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
+[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
+[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]Memory state around the buggy address:
+[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+[26364:syz-executor0][name:report&] ^
+[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
+[26364:syz-executor0]------------[cut here]------------
+
+After checking the source code, we've found there might be an out-of-bounds
+access to "config[len - 1]" array when the variable "len" is zero.
+
+Signed-off-by: Macpaul Lin <macpaul@gmail.com>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/kgdboc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -230,7 +230,7 @@ static void kgdboc_put_char(u8 chr)
+ static int param_set_kgdboc_var(const char *kmessage,
+ const struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdboc: config string too long\n");
+@@ -252,7 +252,7 @@ static int param_set_kgdboc_var(const ch
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ if (configured == 1)
--- /dev/null
+From 43a1b0cb4cd6dbfd3cd9c10da663368394d299d8 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 24 Aug 2018 02:16:12 +0900
+Subject: kprobes/x86: Fix instruction patching corruption when copying more than one RIP-relative instruction
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 43a1b0cb4cd6dbfd3cd9c10da663368394d299d8 upstream.
+
+After copy_optimized_instructions() copies several instructions
+to the working buffer it tries to fix up the real RIP address, but it
+adjusts the RIP-relative instruction with an incorrect RIP address
+for the 2nd and subsequent instructions due to a bug in the logic.
+
+This will break the kernel pretty badly (with likely outcomes such as
+a kernel freeze, a crash, or worse) because probed instructions can refer
+to the wrong data.
+
+For example putting kprobes on cpumask_next() typically hits this bug.
+
+cpumask_next() is normally like below if CONFIG_CPUMASK_OFFSTACK=y
+(in this case nr_cpumask_bits is an alias of nr_cpu_ids):
+
+ <cpumask_next>:
+ 48 89 f0 mov %rsi,%rax
+ 8b 35 7b fb e2 00 mov 0xe2fb7b(%rip),%esi # ffffffff82db9e64 <nr_cpu_ids>
+ 55 push %rbp
+...
+
+If we put a kprobe on it and it gets jump-optimized, it gets
+patched by the kprobes code like this:
+
+ <cpumask_next>:
+ e9 95 7d 07 1e jmpq 0xffffffffa000207a
+ 7b fb jnp 0xffffffff81f8a2e2 <cpumask_next+2>
+ e2 00 loop 0xffffffff81f8a2e9 <cpumask_next+9>
+ 55 push %rbp
+
+This shows that the first two MOV instructions were copied to a
+trampoline buffer at 0xffffffffa000207a.
+
+Here is the disassembled result of the trampoline, skipping
+the optprobe template instructions:
+
+ # Dump of assembly code from 0xffffffffa000207a to 0xffffffffa00020ea:
+
+ 54 push %rsp
+ ...
+ 48 83 c4 08 add $0x8,%rsp
+ 9d popfq
+ 48 89 f0 mov %rsi,%rax
+ 8b 35 82 7d db e2 mov -0x1d24827e(%rip),%esi # 0xffffffff82db9e67 <nr_cpu_ids+3>
+
+This dump shows that the second MOV accesses *(nr_cpu_ids+3) instead of
+the original *nr_cpu_ids. This leads to a kernel freeze because
+cpumask_next() always returns 0 and for_each_cpu() never ends.
+
+Fix this by adding 'len' correctly to the real RIP address while
+copying.
+
+[ mingo: Improved the changelog. ]
+
+Reported-by: Michael Rodin <michael@rodin.online>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org # v4.15+
+Fixes: 63fef14fc98a ("kprobes/x86: Make insn buffer always ROX and use text_poke()")
+Link: http://lkml.kernel.org/r/153504457253.22602.1314289671019919596.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kprobes/opt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/kprobes/opt.c
++++ b/arch/x86/kernel/kprobes/opt.c
+@@ -189,7 +189,7 @@ static int copy_optimized_instructions(u
+ int len = 0, ret;
+
+ while (len < RELATIVEJUMP_SIZE) {
+- ret = __copy_instruction(dest + len, src + len, real, &insn);
++ ret = __copy_instruction(dest + len, src + len, real + len, &insn);
+ if (!ret || !can_boost(&insn, src + len))
+ return -EINVAL;
+ len += ret;
--- /dev/null
+From ae86cbfef3818300f1972e52f67a93211acb0e24 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sat, 24 Nov 2018 10:47:04 -0800
+Subject: libnvdimm, pfn: Pad pfn namespaces relative to other regions
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit ae86cbfef3818300f1972e52f67a93211acb0e24 upstream.
+
+Commit cfe30b872058 "libnvdimm, pmem: adjust for section collisions with
+'System RAM'" enabled Linux to workaround occasions where platform
+firmware arranges for "System RAM" and "Persistent Memory" to collide
+within a single section boundary. Unfortunately, as reported in this
+issue [1], platform firmware can inflict the same collision between
+persistent memory regions.
+
+The approach of interrogating iomem_resource does not work in this
+case because platform firmware may merge multiple regions into a single
+iomem_resource range. Instead provide a method to interrogate regions
+that share the same parent bus.
+
+This is a stop-gap until the core-MM can grow support for hotplug on
+sub-section boundaries.
+
+[1]: https://github.com/pmem/ndctl/issues/76
+
+Fixes: cfe30b872058 ("libnvdimm, pmem: adjust for section collisions with...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Patrick Geary <patrickg@supermicro.com>
+Tested-by: Patrick Geary <patrickg@supermicro.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/nd-core.h | 2 +
+ drivers/nvdimm/pfn_devs.c | 64 ++++++++++++++++++++++++-------------------
+ drivers/nvdimm/region_devs.c | 41 +++++++++++++++++++++++++++
+ 3 files changed, 80 insertions(+), 27 deletions(-)
+
+--- a/drivers/nvdimm/nd-core.h
++++ b/drivers/nvdimm/nd-core.h
+@@ -112,6 +112,8 @@ resource_size_t nd_pmem_available_dpa(st
+ struct nd_mapping *nd_mapping, resource_size_t *overlap);
+ resource_size_t nd_blk_available_dpa(struct nd_region *nd_region);
+ resource_size_t nd_region_available_dpa(struct nd_region *nd_region);
++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start,
++ resource_size_t size);
+ resource_size_t nvdimm_allocated_dpa(struct nvdimm_drvdata *ndd,
+ struct nd_label_id *label_id);
+ int alias_dpa_busy(struct device *dev, void *data);
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -590,14 +590,47 @@ static u64 phys_pmem_align_down(struct n
+ ALIGN_DOWN(phys, nd_pfn->align));
+ }
+
++/*
++ * Check if pmem collides with 'System RAM', or other regions when
++ * section aligned. Trim it accordingly.
++ */
++static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trunc)
++{
++ struct nd_namespace_common *ndns = nd_pfn->ndns;
++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
++ struct nd_region *nd_region = to_nd_region(nd_pfn->dev.parent);
++ const resource_size_t start = nsio->res.start;
++ const resource_size_t end = start + resource_size(&nsio->res);
++ resource_size_t adjust, size;
++
++ *start_pad = 0;
++ *end_trunc = 0;
++
++ adjust = start - PHYS_SECTION_ALIGN_DOWN(start);
++ size = resource_size(&nsio->res) + adjust;
++ if (region_intersects(start - adjust, size, IORESOURCE_SYSTEM_RAM,
++ IORES_DESC_NONE) == REGION_MIXED
++ || nd_region_conflict(nd_region, start - adjust, size))
++ *start_pad = PHYS_SECTION_ALIGN_UP(start) - start;
++
++ /* Now check that end of the range does not collide. */
++ adjust = PHYS_SECTION_ALIGN_UP(end) - end;
++ size = resource_size(&nsio->res) + adjust;
++ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
++ IORES_DESC_NONE) == REGION_MIXED
++ || !IS_ALIGNED(end, nd_pfn->align)
++ || nd_region_conflict(nd_region, start, size + adjust))
++ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
++}
++
+ static int nd_pfn_init(struct nd_pfn *nd_pfn)
+ {
+ u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? SZ_128K : 0;
+ struct nd_namespace_common *ndns = nd_pfn->ndns;
+- u32 start_pad = 0, end_trunc = 0;
++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
+ resource_size_t start, size;
+- struct nd_namespace_io *nsio;
+ struct nd_region *nd_region;
++ u32 start_pad, end_trunc;
+ struct nd_pfn_sb *pfn_sb;
+ unsigned long npfns;
+ phys_addr_t offset;
+@@ -629,30 +662,7 @@ static int nd_pfn_init(struct nd_pfn *nd
+
+ memset(pfn_sb, 0, sizeof(*pfn_sb));
+
+- /*
+- * Check if pmem collides with 'System RAM' when section aligned and
+- * trim it accordingly
+- */
+- nsio = to_nd_namespace_io(&ndns->dev);
+- start = PHYS_SECTION_ALIGN_DOWN(nsio->res.start);
+- size = resource_size(&nsio->res);
+- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+- IORES_DESC_NONE) == REGION_MIXED) {
+- start = nsio->res.start;
+- start_pad = PHYS_SECTION_ALIGN_UP(start) - start;
+- }
+-
+- start = nsio->res.start;
+- size = PHYS_SECTION_ALIGN_UP(start + size) - start;
+- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+- IORES_DESC_NONE) == REGION_MIXED
+- || !IS_ALIGNED(start + resource_size(&nsio->res),
+- nd_pfn->align)) {
+- size = resource_size(&nsio->res);
+- end_trunc = start + size - phys_pmem_align_down(nd_pfn,
+- start + size);
+- }
+-
++ trim_pfn_device(nd_pfn, &start_pad, &end_trunc);
+ if (start_pad + end_trunc)
+ dev_info(&nd_pfn->dev, "%s alignment collision, truncate %d bytes\n",
+ dev_name(&ndns->dev), start_pad + end_trunc);
+@@ -663,7 +673,7 @@ static int nd_pfn_init(struct nd_pfn *nd
+ * implementation will limit the pfns advertised through
+ * ->direct_access() to those that are included in the memmap.
+ */
+- start += start_pad;
++ start = nsio->res.start + start_pad;
+ size = resource_size(&nsio->res);
+ npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - SZ_8K)
+ / PAGE_SIZE);
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -1184,6 +1184,47 @@ int nvdimm_has_cache(struct nd_region *n
+ }
+ EXPORT_SYMBOL_GPL(nvdimm_has_cache);
+
++struct conflict_context {
++ struct nd_region *nd_region;
++ resource_size_t start, size;
++};
++
++static int region_conflict(struct device *dev, void *data)
++{
++ struct nd_region *nd_region;
++ struct conflict_context *ctx = data;
++ resource_size_t res_end, region_end, region_start;
++
++ if (!is_memory(dev))
++ return 0;
++
++ nd_region = to_nd_region(dev);
++ if (nd_region == ctx->nd_region)
++ return 0;
++
++ res_end = ctx->start + ctx->size;
++ region_start = nd_region->ndr_start;
++ region_end = region_start + nd_region->ndr_size;
++ if (ctx->start >= region_start && ctx->start < region_end)
++ return -EBUSY;
++ if (res_end > region_start && res_end <= region_end)
++ return -EBUSY;
++ return 0;
++}
++
++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start,
++ resource_size_t size)
++{
++ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nd_region->dev);
++ struct conflict_context ctx = {
++ .nd_region = nd_region,
++ .start = start,
++ .size = size,
++ };
++
++ return device_for_each_child(&nvdimm_bus->dev, &ctx, region_conflict);
++}
++
+ void __exit nd_region_devs_exit(void)
+ {
+ ida_destroy(®ion_ida);
--- /dev/null
+From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Tue, 23 Oct 2018 13:36:52 -0700
+Subject: mac80211: Clear beacon_int in ieee80211_do_stop
+
+From: Ben Greear <greearb@candelatech.com>
+
+commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream.
+
+This fixes stale beacon-int values that would keep a netdev
+from going up.
+
+To reproduce:
+
+Create two VAP on one radio.
+vap1 has beacon-int 100, start it.
+vap2 has beacon-int 240, start it (and it will fail
+ because beacon-int mismatch).
+reconfigure vap2 to have beacon-int 100 and start it.
+ It will fail because the stale beacon-int 240 will be used
+ in the ifup path and hostapd never gets a chance to set the
+ new beacon interval.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1015,6 +1015,8 @@ static void ieee80211_do_stop(struct iee
+ if (local->open_count == 0)
+ ieee80211_clear_tx_pending(local);
+
++ sdata->vif.bss_conf.beacon_int = 0;
++
+ /*
+ * If the interface goes down while suspended, presumably because
+ * the device was unplugged and that happens before our resume,
--- /dev/null
+From c752cac9db1b0c469db7ba9d17af4ba708984db5 Mon Sep 17 00:00:00 2001
+From: Yan-Hsuan Chuang <yhchuang@realtek.com>
+Date: Tue, 23 Oct 2018 11:24:44 +0800
+Subject: mac80211: fix GFP_KERNEL under tasklet context
+
+From: Yan-Hsuan Chuang <yhchuang@realtek.com>
+
+commit c752cac9db1b0c469db7ba9d17af4ba708984db5 upstream.
+
+cfg80211_sta_opmode_change_notify needs a gfp_t flag to hint the nl80211
+stack when allocating new skb, but it is called under tasklet context
+here with GFP_KERNEL and kernel will yield a warning about it.
+
+Cc: stable@vger.kernel.org
+Fixes: ff84e7bfe176 ("mac80211: Add support to notify ht/vht opmode modification.")
+Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
+ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3029,7 +3029,7 @@ ieee80211_rx_h_action(struct ieee80211_r
+ cfg80211_sta_opmode_change_notify(sdata->dev,
+ rx->sta->addr,
+ &sta_opmode,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ goto handled;
+ }
+ case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
+@@ -3066,7 +3066,7 @@ ieee80211_rx_h_action(struct ieee80211_r
+ cfg80211_sta_opmode_change_notify(sdata->dev,
+ rx->sta->addr,
+ &sta_opmode,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ goto handled;
+ }
+ default:
--- /dev/null
+From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 28 Nov 2018 22:39:16 +0100
+Subject: mac80211: fix reordering of buffered broadcast packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream.
+
+If the buffered broadcast queue contains packets, letting new packets bypass
+that queue can lead to heavy reordering, since the driver is probably throttling
+transmission of buffered multicast packets after beacons.
+
+Keep buffering packets until the buffer has been cleared (and no client
+is in powersave mode).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -439,8 +439,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL))
+ info->hw_queue = tx->sdata->vif.cab_queue;
+
+- /* no stations in PS mode */
+- if (!atomic_read(&ps->num_sta_ps))
++ /* no stations in PS mode and no buffered packets */
++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
+ return TX_CONTINUE;
+
+ info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
--- /dev/null
+From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 3 Dec 2018 21:16:07 +0200
+Subject: mac80211: ignore NullFunc frames in the duplicate detection
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream.
+
+NullFunc packets should never be duplicate just like
+QoS-NullFunc packets.
+
+We saw a client that enters / exits power save with
+NullFunc frames (and not with QoS-NullFunc) despite the
+fact that the association supports HT.
+This specific client also re-uses a non-zero sequence number
+for different NullFunc frames.
+At some point, the client had to send a retransmission of
+the NullFunc frame and we dropped it, leading to a
+misalignment in the power save state.
+Fix this by never consider a NullFunc frame as duplicate,
+just like we do for QoS NullFunc frames.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
+
+CC: <stable@vger.kernel.org>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1372,6 +1372,7 @@ ieee80211_rx_h_check_dup(struct ieee8021
+ return RX_CONTINUE;
+
+ if (ieee80211_is_ctl(hdr->frame_control) ||
++ ieee80211_is_nullfunc(hdr->frame_control) ||
+ ieee80211_is_qos_nullfunc(hdr->frame_control) ||
+ is_multicast_ether_addr(hdr->addr1))
+ return RX_CONTINUE;
--- /dev/null
+From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 13 Nov 2018 20:32:13 +0100
+Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit a317e65face482371de30246b6494feb093ff7f9 upstream.
+
+Make it behave like regular ieee80211_tx_status calls, except for the lack of
+filtered frame processing.
+This fixes spurious low-ack triggered disconnections with powersave clients
+connected to an AP.
+
+Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/status.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -964,6 +964,8 @@ void ieee80211_tx_status_ext(struct ieee
+ /* Track when last TDLS packet was ACKed */
+ if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
+ sta->status_stats.last_tdls_pkt_time = jiffies;
++ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
++ return;
+ } else {
+ ieee80211_lost_packet(sta, info);
+ }
--- /dev/null
+From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Date: Thu, 18 Oct 2018 01:02:12 +0300
+Subject: mac80211_hwsim: Timer should be initialized before device registered
+
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+
+commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
+
+Otherwise if network manager starts configuring Wi-Fi interface
+immidiatelly after getting notification of its creation, we will get
+NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
+ ...
+ Call Trace:
+ [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
+ [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
+ [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2889,6 +2889,10 @@ static int mac80211_hwsim_new_radio(stru
+
+ wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CQM_RSSI_LIST);
+
++ tasklet_hrtimer_init(&data->beacon_timer,
++ mac80211_hwsim_beacon,
++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
++
+ err = ieee80211_register_hw(hw);
+ if (err < 0) {
+ pr_debug("mac80211_hwsim: ieee80211_register_hw failed (%d)\n",
+@@ -2913,10 +2917,6 @@ static int mac80211_hwsim_new_radio(stru
+ data->debugfs,
+ data, &hwsim_simulate_radar);
+
+- tasklet_hrtimer_init(&data->beacon_timer,
+- mac80211_hwsim_beacon,
+- CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
+-
+ spin_lock_bh(&hwsim_radio_lock);
+ err = rhashtable_insert_fast(&hwsim_radios_rht, &data->rht,
+ hwsim_rht_params);
--- /dev/null
+From 87e4a5405f087427fbf8b437d2796283dce2b38f Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Tue, 27 Nov 2018 09:12:20 +0000
+Subject: Revert commit ef9209b642f "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit 87e4a5405f087427fbf8b437d2796283dce2b38f upstream.
+
+pstapriv->max_num_sta is always <= NUM_STA, since max_num_sta is either
+set in _rtw_init_sta_priv() or rtw_set_beacon().
+
+Fixes: ef9209b642f1 ("staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c")
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -1566,7 +1566,7 @@ unsigned int OnAssocReq(struct adapter *
+ if (pstat->aid > 0) {
+ DBG_871X(" old AID %d\n", pstat->aid);
+ } else {
+- for (pstat->aid = 1; pstat->aid < NUM_STA; pstat->aid++)
++ for (pstat->aid = 1; pstat->aid <= NUM_STA; pstat->aid++)
+ if (pstapriv->sta_aid[pstat->aid - 1] == NULL)
+ break;
+
xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
arm64-dts-rockchip-remove-vdd_log-from-rock960-to-fi.patch
revert-x86-e820-put-e820_type_ram-regions-into-membl.patch
+cifs-fix-separator-when-building-path-from-dentry.patch
+staging-rtl8712-fix-possible-buffer-overrun.patch
+revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch
+crypto-do-not-free-algorithm-before-using.patch
+drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch
+drm-lease-send-a-distinct-uevent.patch
+drm-msm-move-fence-put-to-where-failure-occurs.patch
+drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch
+drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch
+drm-i915-downgrade-gen9-plane-wm-latency-error.patch
+kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch
+x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch
+drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch
+tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
+tty-do-not-set-tty_io_error-flag-if-console-port.patch
+gnss-sirf-fix-activation-retry-handling.patch
+kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
+libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
+cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
+mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
+mac80211-fix-gfp_kernel-under-tasklet-context.patch
+mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
+mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
+mac80211-fix-reordering-of-buffered-broadcast-packets.patch
+mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
--- /dev/null
+From 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Wed, 28 Nov 2018 08:06:53 +0000
+Subject: staging: rtl8712: Fix possible buffer overrun
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream.
+
+In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
+overrun") we fix a potential off by one by making the limit smaller.
+The better fix is to make the buffer larger. This makes it match up
+with the similar code in other drivers.
+
+Fixes: 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun")
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/mlme_linux.c | 2 +-
+ drivers/staging/rtl8712/rtl871x_mlme.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/mlme_linux.c
++++ b/drivers/staging/rtl8712/mlme_linux.c
+@@ -158,7 +158,7 @@ void r8712_report_sec_ie(struct _adapter
+ p = buff;
+ p += sprintf(p, "ASSOCINFO(ReqIEs=");
+ len = sec_ie[1] + 2;
+- len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;
++ len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
+ for (i = 0; i < len; i++)
+ p += sprintf(p, "%02x", sec_ie[i]);
+ p += sprintf(p, ")");
+--- a/drivers/staging/rtl8712/rtl871x_mlme.c
++++ b/drivers/staging/rtl8712/rtl871x_mlme.c
+@@ -1358,7 +1358,7 @@ sint r8712_restruct_sec_ie(struct _adapt
+ u8 *out_ie, uint in_len)
+ {
+ u8 authmode = 0, match;
+- u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
++ u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
+ u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
+ uint ielength, cnt, remove_cnt;
+ int iEntry;
--- /dev/null
+From 2a48602615e0a2f563549c7d5c8d507f904cf96e Mon Sep 17 00:00:00 2001
+From: Chanho Park <parkch98@gmail.com>
+Date: Thu, 22 Nov 2018 18:23:47 +0900
+Subject: tty: do not set TTY_IO_ERROR flag if console port
+
+From: Chanho Park <parkch98@gmail.com>
+
+commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.
+
+Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use
+tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial
+console crash on port shutdown), a serial port which is used as
+console can be stuck when logging out if there is a remained process.
+After logged out, agetty will try to grab the serial port but it will
+be failed because the previous process did not release the port
+correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
+tty_port_close if the port is console port.
+
+Reproduce step:
+- Run background processes from serial console
+$ while true; do sleep 10; done &
+
+- Log out
+$ logout
+-> Stuck
+
+- Read journal log by journalctl | tail
+Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
+Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
+Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
+
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Rob Herring <robh@kernel.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Signed-off-by: Chanho Park <parkch98@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -640,7 +640,8 @@ void tty_port_close(struct tty_port *por
+ if (tty_port_close_start(port, tty, filp) == 0)
+ return;
+ tty_port_shutdown(port, tty);
+- set_bit(TTY_IO_ERROR, &tty->flags);
++ if (!port->console)
++ set_bit(TTY_IO_ERROR, &tty->flags);
+ tty_port_close_end(port, tty);
+ tty_port_tty_set(port, NULL);
+ }
--- /dev/null
+From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001
+From: Peter Shih <pihsun@chromium.org>
+Date: Tue, 27 Nov 2018 12:49:50 +0800
+Subject: tty: serial: 8250_mtk: always resume the device in probe.
+
+From: Peter Shih <pihsun@chromium.org>
+
+commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
+
+serial8250_register_8250_port calls uart_config_port, which calls
+config_port on the port before it tries to power on the port. So we need
+the port to be on before calling serial8250_register_8250_port. Change
+the code to always do a runtime resume in probe before registering port,
+and always do a runtime suspend in remove.
+
+This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
+8250_mtk: use pm_runtime callbacks for enabling"), but still use
+pm_runtime callbacks.
+
+Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
+Signed-off-by: Peter Shih <pihsun@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_mtk.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_mtk.c
++++ b/drivers/tty/serial/8250/8250_mtk.c
+@@ -213,17 +213,17 @@ static int mtk8250_probe(struct platform
+
+ platform_set_drvdata(pdev, data);
+
+- pm_runtime_enable(&pdev->dev);
+- if (!pm_runtime_enabled(&pdev->dev)) {
+- err = mtk8250_runtime_resume(&pdev->dev);
+- if (err)
+- return err;
+- }
++ err = mtk8250_runtime_resume(&pdev->dev);
++ if (err)
++ return err;
+
+ data->line = serial8250_register_8250_port(&uart);
+ if (data->line < 0)
+ return data->line;
+
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ return 0;
+ }
+
+@@ -234,13 +234,11 @@ static int mtk8250_remove(struct platfor
+ pm_runtime_get_sync(&pdev->dev);
+
+ serial8250_unregister_port(data->line);
++ mtk8250_runtime_suspend(&pdev->dev);
+
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+
+- if (!pm_runtime_status_suspended(&pdev->dev))
+- mtk8250_runtime_suspend(&pdev->dev);
+-
+ return 0;
+ }
+
--- /dev/null
+From b84a64fad40637b1c9fa4f4dbf847a23e29e672b Mon Sep 17 00:00:00 2001
+From: Eric Snowberg <eric.snowberg@oracle.com>
+Date: Thu, 29 Nov 2018 18:12:20 +0100
+Subject: x86/efi: Allocate e820 buffer before calling efi_exit_boot_service
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+commit b84a64fad40637b1c9fa4f4dbf847a23e29e672b upstream.
+
+The following commit:
+
+ d64934019f6c ("x86/efi: Use efi_exit_boot_services()")
+
+introduced a regression on systems with large memory maps causing them
+to hang on boot. The first "goto get_map" that was removed from
+exit_boot() ensured there was enough room for the memory map when
+efi_call_early(exit_boot_services) was called. This happens when
+(nr_desc > ARRAY_SIZE(params->e820_table).
+
+Chain of events:
+
+ exit_boot()
+ efi_exit_boot_services()
+ efi_get_memory_map <- at this point the mm can't grow over 8 desc
+ priv_func()
+ exit_boot_func()
+ allocate_e820ext() <- new mm grows over 8 desc from e820 alloc
+ efi_call_early(exit_boot_services) <- mm key doesn't match so retry
+ efi_call_early(get_memory_map) <- not enough room for new mm
+ system hangs
+
+This patch allocates the e820 buffer before calling efi_exit_boot_services()
+and fixes the regression.
+
+ [ mingo: minor cleanliness edits. ]
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: <stable@vger.kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: YiFei Zhu <zhuyifei1999@gmail.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/eboot.c | 65 ++++++++++++++++++++++++---------------
+ 1 file changed, 41 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1,3 +1,4 @@
++
+ /* -----------------------------------------------------------------------
+ *
+ * Copyright 2011 Intel Corporation; author Matt Fleming
+@@ -634,37 +635,54 @@ static efi_status_t alloc_e820ext(u32 nr
+ return status;
+ }
+
++static efi_status_t allocate_e820(struct boot_params *params,
++ struct setup_data **e820ext,
++ u32 *e820ext_size)
++{
++ unsigned long map_size, desc_size, buff_size;
++ struct efi_boot_memmap boot_map;
++ efi_memory_desc_t *map;
++ efi_status_t status;
++ __u32 nr_desc;
++
++ boot_map.map = ↦
++ boot_map.map_size = &map_size;
++ boot_map.desc_size = &desc_size;
++ boot_map.desc_ver = NULL;
++ boot_map.key_ptr = NULL;
++ boot_map.buff_size = &buff_size;
++
++ status = efi_get_memory_map(sys_table, &boot_map);
++ if (status != EFI_SUCCESS)
++ return status;
++
++ nr_desc = buff_size / desc_size;
++
++ if (nr_desc > ARRAY_SIZE(params->e820_table)) {
++ u32 nr_e820ext = nr_desc - ARRAY_SIZE(params->e820_table);
++
++ status = alloc_e820ext(nr_e820ext, e820ext, e820ext_size);
++ if (status != EFI_SUCCESS)
++ return status;
++ }
++
++ return EFI_SUCCESS;
++}
++
+ struct exit_boot_struct {
+ struct boot_params *boot_params;
+ struct efi_info *efi;
+- struct setup_data *e820ext;
+- __u32 e820ext_size;
+ };
+
+ static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
+ struct efi_boot_memmap *map,
+ void *priv)
+ {
+- static bool first = true;
+ const char *signature;
+ __u32 nr_desc;
+ efi_status_t status;
+ struct exit_boot_struct *p = priv;
+
+- if (first) {
+- nr_desc = *map->buff_size / *map->desc_size;
+- if (nr_desc > ARRAY_SIZE(p->boot_params->e820_table)) {
+- u32 nr_e820ext = nr_desc -
+- ARRAY_SIZE(p->boot_params->e820_table);
+-
+- status = alloc_e820ext(nr_e820ext, &p->e820ext,
+- &p->e820ext_size);
+- if (status != EFI_SUCCESS)
+- return status;
+- }
+- first = false;
+- }
+-
+ signature = efi_is_64bit() ? EFI64_LOADER_SIGNATURE
+ : EFI32_LOADER_SIGNATURE;
+ memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
+@@ -687,8 +705,8 @@ static efi_status_t exit_boot(struct boo
+ {
+ unsigned long map_sz, key, desc_size, buff_size;
+ efi_memory_desc_t *mem_map;
+- struct setup_data *e820ext;
+- __u32 e820ext_size;
++ struct setup_data *e820ext = NULL;
++ __u32 e820ext_size = 0;
+ efi_status_t status;
+ __u32 desc_version;
+ struct efi_boot_memmap map;
+@@ -702,8 +720,10 @@ static efi_status_t exit_boot(struct boo
+ map.buff_size = &buff_size;
+ priv.boot_params = boot_params;
+ priv.efi = &boot_params->efi_info;
+- priv.e820ext = NULL;
+- priv.e820ext_size = 0;
++
++ status = allocate_e820(boot_params, &e820ext, &e820ext_size);
++ if (status != EFI_SUCCESS)
++ return status;
+
+ /* Might as well exit boot services now */
+ status = efi_exit_boot_services(sys_table, handle, &map, &priv,
+@@ -711,9 +731,6 @@ static efi_status_t exit_boot(struct boo
+ if (status != EFI_SUCCESS)
+ return status;
+
+- e820ext = priv.e820ext;
+- e820ext_size = priv.e820ext_size;
+-
+ /* Historic? */
+ boot_params->alt_mem_k = 32 * 1024;
+